Provided by: proxytunnel_1.12.1-1build2_amd64

NAME

       proxytunnel - program to tunnel a connection through a standard HTTPS proxy

SYNOPSIS

       proxytunnel [OPTION...] [host:port]

DESCRIPTION

       proxytunnel is a program to tunnel any connection through a standard HTTPS proxy,
       circumventing standard HTTP filtering mechanisms. It’s mostly used as a backend for
       OpenSSH’s ProxyCommand, and as a proxy backend for Putty. It can also be used for other
       proxy-traversing purposes like proxy bouncing.

OPTIONS

       -i, --inetd
           Run from inetd (default: off).

       -a, --standalone=[address:]port
           Run as standalone daemon on specified address and port.  address may be an IPv4
           address, a bracket-enclosed IPv6 address or a bracket-enclosed combination of IPv6
           address, '%' and interface name. The latter format is only required with link-local
           IPv6 addresses. The daemon listens on any address if address is not given.

           Examples
               22, 123.45.67.89:22, [2001:db8::123:4567:89ab:cdef]:22,
               [2001:db8::123:4567:89ab:cdef%eth0]:22

       -p, --proxy=host:port
           Use host and port as the local proxy to connect to. If not specified, the HTTP_PROXY
           environment variable is used instead, if set.

       -r, --remproxy=host:port
           Use host and port as the remote (secondary) proxy to connect to.

       -d, --dest=host:port
           Use host and port as the destination for the tunnel. You can also specify them as the
           argument to the proxytunnel command.

       -e, --encrypt
           SSL encrypt data between local proxy and destination.

       -E, --encrypt-proxy
           SSL encrypt data between client and local proxy.

       -X, --encrypt-remproxy
           SSL encrypt data between local and remote (secondary) proxy.

ADDITIONAL OPTIONS

       -W, --wa-bug-29744
           Workaround for ASF Bugzilla 29744: if SSL is in use (by the -e, -E, -X options), stop
           using it immediately after the CONNECT exchange to work around Apache server bugs
           (this might not work on all setups).

       -B, --buggy-encrypt-proxy
           Equivalent to -E -W (Provided for backwards compatibility).

       -z, --no-check-certificate
           Do not verify server SSL certificate when establishing an SSL connection. By default,
           the server SSL certificate is verified and the target host name is checked against the
           server certificate’s subject alternative names if any are present, or common name if
           there are no subject alternative names.

       -C, --cacert=filename/directory
           Specify a CA certificate file (or directory containing CA certificate(s)) to trust
           when verifying a server SSL certificate. If a directory is provided, it must be
           prepared with OpenSSL’s c_rehash tool (default, unless changed at compile time using
           DEFAULT_CA_FILE or DEFAULT_CA_DIR options: /etc/ssl/certs).

       -4, --ipv4
           Enforce the use of IPv4 when connecting to the local proxy.

       -6, --ipv6
           Enforce the use of IPv6 when connecting to the local proxy.

       -F, --passfile=filename
           Use filename for reading username and password for HTTPS proxy authentication. The
           file uses the same format as .wgetrc and can be shared with wget. Use this option or
           environment variables to hide the password from other users.

       -P, --proxyauth=username:password
           Use username and password as credentials to authenticate against a local HTTPS proxy.
           The username and password can also be specified in the PROXYUSER and PROXYPASS
           environment variables to hide them from other users. If the password is omitted and no
           PROXYPASS environment variable is set, proxytunnel will prompt for a password.

       -R, --remproxyauth=username:password
           Use username and password as credentials to authenticate against a remote (secondary)
           HTTPS proxy. The username and password can also be specified in the REMPROXYUSER and
           REMPROXYPASS environment variables to hide them from other users. If the password is
           omitted and no REMPROXYPASS environment variable is set, proxytunnel will prompt for a
           password.

       -c, --cert=filename
           Provide the name of the file containing the SSL client certificate to authenticate by
           client certificate against local proxy, remote proxy or destination. The file must be
           in PEM format. On top of this it may contain one or more intermediary certificates
           missing at the server’s end, effectively forming a certificate chain. Requires
           specification of -k, --key in addition. Ignored if neither -e, --encrypt nor -E,
           --encrypt-proxy nor -X, --encrypt-remproxy is given.

       -k, --key=filename
           Provide the name of the file containing the SSL client key to authenticate by client
           certificate against local proxy, remote proxy or destination. The file must be in PEM
           format. Requires specification of -c, --cert in addition. Ignored if neither -e,
           --encrypt nor -E, --encrypt-proxy nor -X, --encrypt-remproxy is given.

       -N, --ntlm
           Use NTLM based authentication.

       -t, --domain=STRING
           Specify NTLM domain (default: autodetect).

       -H, --header=STRING
           Add additional HTTP headers to send to proxy.

       -o, --host=host[:port]
           Send a custom Host header. With SSL connections host is also sent as SNI.

       -x, --proctitle=STRING
           Use a different process title.

MISCELLANEOUS OPTIONS

       -v, --verbose
           Turn on verbosity.

       -q, --quiet
           Suppress messages.

       -h, --help
           Print help and exit.

       -V, --version
           Print version and exit.

ARGUMENTS

       host:port is the destination hostname and port number combination.

           Note
           Specifying the destination as arguments is exactly the same as specifying them using
           the -d or --dest option.

USAGE

       Depending on your situation you might want to do any of the following things:

       •   Connect through a local proxy to your home system on port 22

               $ proxytunnel -v -p proxy.company.com:8080 -d system.home.nl:22

       •   Connect through a local proxy (with authentication) to your home system

               $ proxytunnel -v -p proxy.company.com:8080 -P username:password -d system.home.nl:22

       •   Connect through a local proxy (with authentication) hiding your password

               $ export PROXYPASS=password
               $ proxytunnel -v -p proxy.company.com:8080 -P username -d system.home.nl:22

       •   Connect through a local proxy to a remote proxy and bounce to any system

               $ proxytunnel -v -p proxy.company.com:8080 -r proxy.athome.nl:443 -d system.friend.nl:22

       •   Connect using SSL through a local proxy to your home system

               $ proxytunnel -v -E -p proxy.company.com:8080 -d system.home.nl:22

OPENSSH CONFIGURATION

       To use this program with OpenSSH to connect to a host somewhere, create a ~/.ssh/config
       file with the following content:

           Host system.athome.nl
               ProxyCommand proxytunnel -p proxy.company.com:8080 -d %h:%p
               ServerAliveInterval 30

           Note
           The ServerAliveInterval directive makes sure that idle connections are not being
           dropped by intermediate firewalls that remove active sessions aggressively. If you see
           your connection dropping out, try to lower the value even more.

       To use the dynamic (SOCKS) port forwarding capability of the SSH client, you can specify
       the DynamicForward directive in your ssh_config file like:

           Host system.athome.nl
               DynamicForward 1080
               ProxyCommand proxytunnel -p proxy.company.com:8080 -d %h:%p
               ServerAliveInterval 30

NOTES

           Important
           Most HTTPS proxies do not allow access to ports other than HTTPS (tcp/443) and SNEWS
           (tcp/563). In this case you need to make sure the SSH daemon or remote proxy on the
           destination system is listening on either tcp/443 or tcp/563 to get through.

ENVIRONMENT

       Proxytunnel can be influenced by setting one of the following environment variables:

       HTTP_PROXY
           If this environment variable is set, proxytunnel will use it as the local proxy if -p
           or --proxy is not provided.

       PROXYUSER
           If this environment variable is set, proxytunnel will use it as the username for proxy
           authentication, unless specified using the -P or --proxyauth option.

       PROXYPASS
           If this environment variable is set, proxytunnel will use it as the password for proxy
           authentication, unless specified using the -P or --proxyauth option.

       REMPROXYUSER
           If this environment variable is set, proxytunnel will use it as the username for
           remote (secondary) proxy authentication, unless specified using the -R or
           --remproxyauth option.

       REMPROXYPASS
           If this environment variable is set, proxytunnel will use it as the password for
           remote (secondary) proxy authentication, unless specified using the -R or
           --remproxyauth option.

SEE ALSO

           ssh(1), ssh_config(8)

BUGS

       This software is bug-free, at least we’d like to think so. If you do not agree with us,
       please provide the proof with your friendly report at
       https://github.com/proxytunnel/proxytunnel/issues :)

AUTHOR

       This manpage was initially written by Loïc Le Guyader <loic.leguyader@laposte.net[1]> for
       the Debian GNU/Linux system, revamped in asciidoc by Dag Wieërs <dag@wieers.com[2]> and is
       now maintained by the Proxytunnel developers.

       Homepages at https://proxytunnel.sourceforge.io and
       https://github.com/proxytunnel/proxytunnel

NOTES

        1. loic.leguyader@laposte.net
           mailto:loic.leguyader@laposte.net

        2. dag@wieers.com
           mailto:dag@wieers.com

  1.12.1                                    2024-02-06                             PROXYTUNNEL(1)